Beginner

Catalyst 3750 QoS Question

Hello,

I have a scan server (IP = 1.2.3.4 for this example) which wreaks havoc whenever it runs, which is evident in the number of output drops I see.  I thought about policing the thing, but this is a production environment and the 3750-G switch does not support Netflow or any tool which would provide accurate bit-rate estimates to work from.

So, my thoughts are instead to implement queuing for the scan server and limit its access to common buffers, etc.  I would appreciate some feedback on the config.  (I have included notes in an attempt to illustrate my thinking.)

!**| Catalyst 3750-G |**
!
! *** Enable QoS
!
mls qos
!
! *** Create custom queue-set
! *** increase buffer 1 and disable buffer 4
!
mls qos queue-set output 2 buffers 50 25 25 0
!
! *** For queue 1, make full buffer available to threshold 1,
! *** reserve full buffer for local queue only, enable
! *** queue to borrow 3x more buffers from common pool.
!
mls qos queue-set output 2 threshold 1 100 100 100 400
!
! *** For queue 3, make full buffer available to threshold 1,
! *** reserve 30% of buffer for local queue only, enable
! *** queue to borrow 4x more buffers from common pool.
!
mls qos queue-set output 2 threshold 3 100 100 33 165
!
! *** Assign DSCP Values 16, 18, 20, & 22 to Queue 1;
! *** assign DSCP Values 8, 10, 12, & 14 to Queue 3.
!
mls qos srr-queue output dscp-map queue 1 threshold 1 16 18 20 22
mls qos srr-queue output dscp-map queue 3 threshold 1 8 10 12 14
!
! *** To be thorough, assign associated COS values to same queues.
!
mls qos srr-queue output cos-map queue 1 threshold 1 2
mls qos srr-queue output cos-map queue 3 threshold 1 1
!
! *** Access-list 130 identifies the scan traffic (bi-directional).
!
access-list 130 permit ip any host 1.2.3.4
access-list 130 permit ip host 1.2.3.4 any
!
! *** Create class-map to match previously-configured access-group.
!
class-map match-any CM-SCANS
 description ** Non-Critical Scan Traffic
 match access-group 130
 exit
!
! *** Create policy-map to assign DSCP values to Scan and Default traffic.
!
policy-map PM-QOS-IN
 description ** Ingress QoS Policy
 class CM-SCANS
  set ip dscp af11
  exit
!
 class class-default
  set ip dscp af21
  exit
 exit
!
! *** Assign queue-set 2 and/or service-policy (input-only) as needed.
!
interface gix/x/x
 queue-set 2
 service-policy input PM-QOS-IN
 exit
!

PS - There is no voice traversing this switch, so I don't see a need to reserve queue 1 for voice or enable priority-queue, etc.

Any help is very much appreciated.  Thank you in advance.

ACCEPTED SOLUTION
VIP Expert

Disclaimer

The Author of this posting offers the information contained within this posting without consideration and with the reader's understanding that there's no implied or expressed suitability or fitness for any purpose. Information provided is for informational purposes only and should not be construed as rendering professional advice of any kind. Usage of this posting's information is solely at reader's own risk.

Liability Disclaimer

In no event shall Author be liable for any damages whatsoever (including, without limitation, damages for loss of use, data or profit) arising out of the use or inability to use the posting's information even if Author has been advised of the possibility of such damage.

Posting

Okay, then you are a bit stuck with trying to manage that server's traffic.  Unless you want to consider policing the server port's ingress and/or "shaping" its egress port.  The idea being, if you can slow that server's traffic, you might avoid all the other QoS configuration needs.

Otherwise, you're on the right track, in what you're trying to do.

Perhaps you might want to tag traffic to/from that server as "scavenger" (CS1).  Ideally, you might be able to distinguish the "scan" traffic from other traffic to/from that server.

As to your QoS policy's egress treatment, instead of creating a "special" configuration just to manage this traffic, you might consider having a general policy that has a low priority (scavenger) class, which is where you direct this traffic.  I.e. a 4 class policy that supports real-time (PQ), foreground (twice to 10x default's %), default and background (1%) scheduling priorities.

For 3750 buffer management, I found setting all thresholds to the max, and moving most if not all buffers to the common pool, generally works fairly well.

4 REPLIES
VIP Expert


Assuming your edge ports are 100 Mbps or gig, could you run the scan server's port at 10 Mbps?

Beginner

It's a practical consideration, but server's access ports are 1/10G capable, currently set to 1000Gbps.

Beginner

Thanks for your feedback.

I expect some major architectural changes to this environment within the coming year, so though we are constantly addressing and maintaining QoS in other areas of the enterprise, this particular switch doesn't really warrant a full QoS deployment, especially since we don't have any VoIP or Video traversing this switch.

The scan server also runs scans on other areas of the network (without issue), so that's why I am considering some type of congestion management on this particular switch, versus closer to the source on the server's own host interfaces.

I elected to classify the scan traffic as scavenger AF11 in case I wanted to get into policed-dscp configurations and leverage drop probabilities, though I would like to avoid that complicated scenario altogether.  I realize now that I should probably account for some bandwidth management via the "srr-queue bandwidth shape/share" commands.  I'll investigate this more.  Thank you for bringing this to my attention.
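The accepted answer's approach (scavenger CS1 marking, policing the server port's ingress and capping its egress, a four-class scheduler with a roughly 1% background queue, thresholds at maximum with most buffers pushed to the common pool) together with the srr-queue share commands mentioned in the last reply, as an added configuration example that is not part of any post above. It assumes the scan server sits on GigabitEthernet1/0/1 of a 24-port 3750-G, an IOS train where 400 is the threshold maximum (as in the original post), and a constructed 50 Mbps police rate; the ACL and class names are reused from the original post.

```ios
! Added example, not the poster's config: the accepted answer's advice on a
! 3750-G. Assumes the scan server is on Gi1/0/1, 400 is the threshold maximum
! on this IOS train, and EF already maps to queue 1 (the 3750 default).
mls qos
!
! Scan traffic (ACL 130 from the original post) is marked scavenger (CS1)
! and policed on ingress at the server's port; the rate is a placeholder.
access-list 130 permit ip any host 1.2.3.4
access-list 130 permit ip host 1.2.3.4 any
class-map match-any CM-SCANS
 match access-group 130
policy-map PM-QOS-IN
 class CM-SCANS
  set dscp cs1
  police 50000000 64000 exceed-action drop
!
! Four-class egress mapping: queue 1 real-time (PQ), queue 2 foreground
! (AF2x/AF3x), queue 3 default (DSCP 0), queue 4 background (CS1).
mls qos srr-queue output dscp-map queue 2 threshold 1 18 20 22 26 28 30
mls qos srr-queue output dscp-map queue 3 threshold 1 0
mls qos srr-queue output dscp-map queue 4 threshold 1 8
mls qos srr-queue output cos-map queue 4 threshold 1 1
!
! Queue-set 2: every threshold at the maximum, reserved held at 50% so half
! of each queue's allocation goes to the common pool; small static share
! for the priority queue.
mls qos queue-set output 2 buffers 10 30 30 30
mls qos queue-set output 2 threshold 1 400 400 50 400
mls qos queue-set output 2 threshold 2 400 400 50 400
mls qos queue-set output 2 threshold 3 400 400 50 400
mls qos queue-set output 2 threshold 4 400 400 50 400
!
! Scan-server port: mark and police inbound, cap outbound to 10% of line
! rate (the egress "shaping" the answer mentions).
interface GigabitEthernet1/0/1
 description scan server
 service-policy input PM-QOS-IN
 srr-queue bandwidth limit 10
 queue-set 2
 priority-queue out
 srr-queue bandwidth share 1 70 28 1
!
! Remaining ports: same queue-set and scheduler. With the PQ enabled SRR
! ignores queue 1's weight, so 70/28/1 gives background about 1%.
interface range GigabitEthernet1/0/2 - 24
 queue-set 2
 priority-queue out
 srr-queue bandwidth share 1 70 28 1
```

The input policy is applied only on the server's port, so it marks and polices what the server sends; traffic toward the server enters on the other ports and would need the policy there as well to pick up the CS1 marking.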
